As of October 2021, vulnerabilities in software under the Linux package manager’s management can be identified by the following methods:
Let’s explain the features of each of them.
This is a method of scanning via Vuls scanner and uploading configuration information to cloud services. Refer to supported environments for the scan targets.
It is recommended to detect images in the container registry using trivy and upload to FutureVuls. It can also be integrated into a CI/CD pipeline. Refer to supported environments for the scan targets.
A method of integrating with cloud service container registries is also available. This is compatible with AWS and GCP DockerRegistries. Refer to supported environments for the scan targets.
Paste scan allows for vulnerability management in environments where it is difficult to introduce scanners.
Execute several commands to obtain configuration information on the server, and just copy and paste the execution result of the command onto the FutureVuls screen to complete registration.
With the developer REST API you can create and update paste servers with REST APIs.
Let’s explain the steps from registering configuration information to performing vulnerability scans.
Add server
> Add PASTE server
Refer to supported environments for the scan targets.
Add PASTE server
Enter server name, OS type, etc.
Paste the list of installed packages
Once registered, you can detect vulnerabilities by clicking on Manual Scan.
If you update the package of the relevant server and change the configuration information, update it from the Edit
button in the Server Information section on the server details screen.
In the next scan, detection processing will be performed based on the updated configuration information. Tasks resolved by package updates are automatically changed to the “Patch_Applied” status.
OS | Version | Kernel Release | Kernel Version | Packages |
---|---|---|---|---|
RHEL | cat /etc/redhat-release | uname -r | - | rpm -qa –queryformat “%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n” |
Amazon Linux | awk ‘{if ($0 ~ /Amazon Linux release (2022 | 2023)/) print $4; else if ($0 ~ /Amazon Linux release 2/) printf("%s %s “,$4, $5); else if ($0 ~ /Amazon Linux 2/) for (i=3; i<=NF; i++) printf("%s “, $i); else if (NF==5) print $5}’ /etc/system-release | uname -r | - |
Debian | cat /etc/debian_version | uname -r | uname -a | awk ‘{print $7}’ | dpkg-query -W -f=”${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n” |
Ubuntu | lsb_release -sr | awk ‘{print $1}’ | uname -r | - | dpkg-query -W -f="${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n" |
Windows | - | - | - | (Get-Hotfix | Select-Object -Property HotFixID | % { If ($_ -match ‘(KB\d{6,7})’) { $Matches[0] }}) -Join ‘,’ |
If you want to register an OS other than the above, display the dialog box for creating a paste server on the FutureVuls screen and confirm it.
Linux packages are updated using the backport mechanism. In FutureVuls, detection processing is performed using Security Tracker or OVAL provided by Linux distributors. These vulnerability databases contain “actually backported version numbers” corresponding to each OS, allowing for accurate detection.
Please refer to the source code of OSS for detailed detection logic of each scan method.
We are often asked if we can accurately detect vulnerabilities by registering OS or package CPEs. Due to frequent false positives, CPE scans for OS packages are not recommended. For more information, please refer to the FAQ>CPE Scan section.